TL;DR: Google reviews are the single most visible trust signal for hospice and home health agencies — 84% of patients check online reviews before choosing a provider, and 34% of all Google reviews are for healthcare services. But most review-building strategies used by other industries violate HIPAA when applied to healthcare. You can't email patients asking them to describe their care. You can't text a direct link that confirms someone received services. You can't incentivize reviews with gift cards. This article gives you seven specific, HIPAA-compliant methods to systematically grow your Google review count — plus the exact workflows, scripts, and tools that keep you on the right side of federal law.

Why Google Reviews Are the #1 Growth Lever You're Probably Ignoring
The HIPAA Problem With Standard Review Strategies
The Core Rule: Never Confirm the Patient Relationship
Seven HIPAA-Safe Methods to Build Your Google Reviews
Method 1: The In-Person Ask at Discharge or Transition
Method 2: The General-Audience Print Card
Method 3: The HIPAA-Compliant Email Campaign
Method 4: The Website Review Funnel
Method 5: The Community Event Follow-Up
Method 6: The Family Caregiver Support Touchpoint
Method 7: The Staff Advocacy Program
What You Absolutely Cannot Do (Even If Competitors Are Doing It)
Building a Monthly Review Workflow
How Many Reviews Do You Actually Need?
Frequently Asked Questions

Why Google Reviews Are the #1 Growth Lever You're Probably Ignoring {#why-google-reviews}

The data on reviews and healthcare provider selection has reached a tipping point. According to a 2025 rater8 report on how patients choose their doctors, 84% of patients check online reviews before choosing a new healthcare provider, and they trust those reviews as much as personal recommendations from friends and family.

For post-acute care specifically, the numbers are even more striking:

| Metric | Data Point | Source | |--------|-----------|--------| | Patients checking reviews before choosing a provider | 84% | rater8 2025 Patient Choice Report | | Share of all Google reviews that are healthcare | 34% — highest of any industry | Guaranteed Removals 2025 Healthcare Review Statistics | | Patients who read 10+ reviews before deciding | 50% | RepuGen 2025 Patient Review Survey | | Patients requiring a minimum 4-star rating | 83% | RepuGen 2025 Patient Review Survey | | Revenue impact of one additional star | 5–9% increase | Harvard Business School / Yelp Revenue Study | | Patients who avoid providers with too many negative reviews | 40% | Sprypt 2025 Patient Review Impact Analysis |

The financial math is simple. If your agency serves 150 patients annually and a one-star rating improvement drives even a 5% revenue increase, that's the equivalent of 7–8 additional patients per year. For a home health agency billing Medicare at roughly $3,500 per episode, that's an additional $24,500–$28,000 in annual revenue from reviews alone.

Yet most post-acute agencies have fewer than 10 Google reviews. According to NHPCO's 2024 Facts and Figures report, there are approximately 5,900 hospice providers in the United States. Search any mid-size market on Google Maps and you'll find that the majority of hospice and home health listings have between 2 and 8 reviews — many with zero.

The agencies that figure out how to build reviews compliantly will dominate local search in their markets. The ones that don't will remain invisible.

The HIPAA Problem With Standard Review Strategies {#hipaa-problem}

Every review-building guide written for restaurants, law firms, and retail businesses follows the same playbook: collect customer email or phone at point of service, send an automated follow-up requesting a review 24–48 hours later, include a direct link to your Google Business Profile. Simple, effective, and completely illegal for healthcare providers.

Here's why. Under HIPAA's Privacy Rule (45 CFR § 164.502), any information that connects an individual to the receipt of healthcare services is protected health information (PHI). That means:

Sending a post-visit email saying "Thank you for choosing ABC Hospice — please leave us a review" confirms that the recipient is a patient. The email itself constitutes a disclosure of PHI because it reveals the patient relationship to anyone who accesses that inbox.

Texting a review link to a patient's phone confirms they received services. If a family member, employer, or anyone else sees that text, you've disclosed PHI without authorization.

Using your EHR or patient management system to generate review request lists means you're using PHI for marketing. Under HIPAA's marketing provisions (45 CFR § 164.501), using PHI to send marketing communications requires written authorization from the patient — not just a general consent form.

The penalty structure reinforces why this matters. As of 2025, HIPAA violation fines range from $145 per violation (unknowing) to $2,190,294 per violation (willful neglect, uncorrected), with a calendar-year cap of $2,134,831 per identical provision. OCR collected $9.9 million in fines in 2024 alone — a 37% increase over 2023, according to HHS enforcement data.

The real-world cases are instructive. Dr. U. Phillip Igbinadolor, D.M.D. paid a $50,000 fine for disclosing PHI in response to a negative online review. A New Vision Dental practice was fined $23,000 for a similar violation. These weren't data breaches or ransomware attacks — they were providers trying to manage their online reputation and accidentally disclosing PHI in the process.

For a deeper dive into what HIPAA allows and prohibits in review responses, see our companion article: Online Reviews and HIPAA for Home Health and Hospice.

The Core Rule: Never Confirm the Patient Relationship {#core-rule}

Every HIPAA-safe review strategy follows one foundational principle: you must never confirm — through any communication channel — that a specific person is or was a patient or client of your agency.

This means your review solicitation cannot:

Be sent exclusively to patients (which confirms the recipient list = patient list)
Reference their care, diagnosis, treatment, or services received
Come from a system that only patients have access to (like a patient portal)
Be triggered by a clinical event (admission, discharge, visit completion)

What it can do:

Be part of a general communication to your broader community
Be available to anyone who interacts with your agency in any capacity
Use language that doesn't assume the person receiving it is a patient
Come through channels that aren't linked to patient records

The distinction is subtle but legally critical. A sign in your office that says "Leave us a Google review!" is compliant because anyone who walks in — patients, families, referral partners, vendors, job candidates — sees it. An email sent from your EHR to every discharged patient saying "How was your care? Leave us a review" is not compliant because the email confirms the patient relationship.

Seven HIPAA-Safe Methods to Build Your Google Reviews {#seven-methods}

These methods have been vetted against HIPAA requirements and reflect best practices from HHS guidance on marketing communications, the AMA's guidance on HIPAA and online reviews, and healthcare marketing compliance attorneys. Each method includes the exact implementation steps and a compliance note explaining why it's safe.

Method 1: The In-Person Ask at Discharge or Transition {#method-1}

How it works: A staff member verbally mentions that the agency values feedback and hands the patient or family member a printed card (see Method 2) with the agency's Google review link or QR code.

When to use it: During discharge planning conversations, at the conclusion of a hospice admission visit when rapport has been established, or during any in-person interaction where the topic of satisfaction comes up naturally.

The script:

"We always appreciate hearing from the families we work with. If you'd ever like to share your experience, we have a page on Google where community members can leave feedback. No pressure at all — here's a card with the link if you're interested."

Why this is compliant: The ask happens in a private, in-person setting where no PHI is transmitted electronically. The language uses "families we work with" rather than confirming a patient relationship. The card itself contains no PHI — it's a generic card identical to one you'd hand to anyone. According to SearchEngineLand's healthcare review compliance guide, in-person solicitation is the safest review-building method for healthcare providers because it occurs within the existing care relationship and leaves no electronic trail of PHI.

Pro tip: Train staff to read the room. Never ask during moments of grief, crisis, or clinical distress. The best timing for hospice agencies is during a bereavement follow-up or after a family has expressed unsolicited gratitude. For home health, the conclusion of a successful episode of care is the natural window.

Method 2: The General-Audience Print Card {#method-2}

How it works: Create a simple printed card with your agency name, Google review QR code, and a short message. Place these in your office waiting area, include them in welcome folders, and hand them out at community events.

Card content example:

[Your Agency Name] We'd love to hear from you. Scan the QR code to share your experience on Google. [QR CODE] Or visit: g.page/[your-business]/review

Why this is compliant: The card contains no PHI. It doesn't reference patients, services, or healthcare. It's identical to a card a restaurant or law firm might use. Anyone who encounters it — not just patients — can use it. As Chatmeter's guide to Google reviews for healthcare notes, QR code cards provide a direct, frictionless path to the review platform while keeping PHI completely out of the process.

Distribution points:

| Location | Why It Works | |----------|-------------| | Office reception area | Visible to all visitors, not just patients | | Welcome packets/folders | Provided alongside general agency information | | Community health fairs | Distributed to general public attendees | | Referral partner offices | Visible to anyone, reinforces your brand | | Staff ID badge lanyards | Always available for spontaneous asks | | Vehicle dashboards (field staff) | Ready for in-home visit conversations |

Method 3: The HIPAA-Compliant Email Campaign {#method-3}

How it works: Send a review request email to a general mailing list — not a patient-only list. The email must go to everyone on the list, not a segment of "current patients" or "recently discharged."

Critical requirement: The email list must include non-patients. If you maintain a community newsletter, referral partner list, or general contact list, this is your vehicle. If the only email list you have is your patient roster, this method is not compliant.

Email example:

Subject: Help us serve our community better

Hi [First Name],

At [Agency Name], we're committed to providing the best possible care and service to our community. If you've had an experience with our team — whether as a family member, community partner, or in any other capacity — we'd love to hear about it.

[Leave a Google Review →]

Your feedback helps other families find quality care when they need it most. Thank you for being part of our community.

Why this is compliant: The email goes to a general audience list, not a patient-specific list. The language doesn't confirm any patient relationship — it says "if you've had an experience" rather than "thank you for being our patient." According to LuxSci's guide on online reviews and HIPAA compliance, a HIPAA-compliant email solution with message encryption allows you to ask for reviews in a compliant manner, provided the recipient list doesn't constitute PHI.

Technical safeguards:

Use a HIPAA-compliant email platform (not your EHR's messaging system)
Never pull recipient lists from clinical records
Ensure the email platform has a signed Business Associate Agreement if it stores any contact information that originated from patient records
Include an unsubscribe mechanism per CAN-SPAM requirements

Method 4: The Website Review Funnel {#method-4}

How it works: Add a prominent "Share Your Experience" page or widget to your agency website that links directly to your Google Business Profile review form. This is a passive solicitation method — visitors find it on their own.

Implementation:

Create a dedicated page at youragency.com/reviews or youragency.com/share-your-experience
Include a brief message thanking visitors for considering leaving feedback
Embed a direct link to your Google review form (format: https://search.google.com/local/writereview?placeid=[YOUR_PLACE_ID])
Add the page link to your site footer, contact page, and email signature

Why this is compliant: Your website is publicly accessible. Anyone can visit it and click the review link. The page doesn't confirm that the visitor is a patient — it simply provides an opportunity for anyone to leave feedback. This is no different from any other business's review page.

Optimization tips:

Include your Google review link in your general email signature (not patient-facing clinical emails)
Add the link to your agency's social media profiles
Feature a rotating selection of existing reviews on your homepage (with permission from the reviewer, or only reviews posted on public platforms like Google)

Method 5: The Community Event Follow-Up {#method-5}

How it works: After hosting or participating in a community event — health fair, caregiver workshop, grief support seminar, continuing education lunch — send a follow-up email to attendees that includes a review request alongside event-related content.

Why it works: Event attendees are not patients. They're community members who interacted with your agency in a non-clinical setting. Asking them for a Google review is no different from a restaurant asking event attendees to leave feedback.

Email example:

Subject: Thank you for attending our Caregiver Wellness Workshop

Thank you for joining us at last week's Caregiver Wellness Workshop at [Location]. We hope the session on managing caregiver fatigue was helpful.

If you've had any interaction with [Agency Name] — through our events, services, or community partnerships — we'd appreciate you sharing your experience on Google. Your feedback helps families in our area find the resources they need.

[Leave a Google Review →]

Compliance advantage: This method is particularly valuable because it generates reviews from community members who can speak to your agency's expertise, professionalism, and community presence — without referencing any patient-care relationship. These reviews ("Great workshop on end-of-life planning" or "Very knowledgeable staff at the health fair") are both HIPAA-safe and valuable for SEO because they contain relevant keywords naturally.

Method 6: The Family Caregiver Support Touchpoint {#method-6}

How it works: Hospice agencies in particular have an opportunity to engage with family caregivers and bereaved family members through support programs. During non-clinical interactions — grief support groups, caregiver check-in calls, bereavement mailings — include a review request as part of the broader communication.

Critical distinction: Bereavement support is a covered hospice benefit, but general grief support groups open to the community are not inherently clinical. The key is how you structure the interaction:

Compliant: A grief support group open to the community, where attendees include people who never had a loved one in your care. A follow-up that asks all attendees for feedback is fine.
Not compliant: A bereavement mailing sent exclusively to families of deceased patients. This list is PHI, and any review request embedded in it constitutes using PHI for marketing.

The timing consideration: For hospice agencies, asking for a review too soon after a patient's death is not just a compliance risk — it's a relationship risk. Industry best practice, based on NHPCO's quality reporting guidance, suggests that any satisfaction-related outreach to bereaved families should occur no earlier than 30–60 days post-death and should never lead with a review request. Instead, it should lead with genuine support and include the review opportunity as a secondary element.

Method 7: The Staff Advocacy Program {#method-7}

How it works: Encourage your staff — nurses, aides, social workers, chaplains, office personnel — to leave honest reviews of your agency as a workplace on your Google Business Profile.

Why this is compliant: Staff are not patients. Their reviews are their own perspective on the agency. A review from a registered nurse saying "I've been with this agency for three years and the level of care we provide to families is exceptional" is valuable social proof that contains no PHI.

Implementation:

Include a Google review request in new hire orientation materials
Mention it during team meetings or staff appreciation events
Never require or incentivize reviews — they must be voluntary
Remind staff that their reviews should never mention specific patients, families, or clinical scenarios

Important limitation: Google's policies prohibit fake or incentivized reviews. Do not offer bonuses, gift cards, or any form of compensation for reviews — from staff or anyone else. According to Google's review policies, reviews must reflect genuine experiences and any form of compensation or requirement will result in review removal and potential listing suspension.

What You Absolutely Cannot Do (Even If Competitors Are Doing It) {#what-you-cannot-do}

Some review-building tactics are so common in other industries that healthcare providers adopt them without realizing the HIPAA risk. Here are the practices that are off-limits:

| Practice | Why It Violates HIPAA | Risk Level | |----------|----------------------|------------| | Emailing patients from your EHR/EMR asking for reviews | Confirms patient relationship using PHI | $50,000–$2.19M per violation | | Texting a review link to patients after a visit | Electronic disclosure confirming care was provided | $50,000–$2.19M per violation | | Using patient satisfaction survey responses to identify happy patients for review requests | Uses PHI (survey = clinical record) for marketing | $145–$2.19M per violation | | "Review gating" — asking satisfied patients to post and routing dissatisfied ones to internal feedback | Selective solicitation; potentially confirms PHI if patients are identified | FTC violation + HIPAA risk | | Offering discounts, gift cards, or prizes for reviews | Violates Google policy; may violate AKS if patients are Medicare/Medicaid beneficiaries | Google listing suspension + AKS penalty | | Posting patient testimonials on your website without written HIPAA authorization | Disclosure of PHI (patient identity + healthcare relationship) | $145–$2.19M per violation | | Responding to a negative review by referencing the patient's care details | Direct PHI disclosure, even if patient disclosed first | $23,000–$50,000+ (see enforcement cases) | | Having staff post fake reviews | Violates FTC Act § 5, Google policies, potentially state consumer protection laws | FTC fines + Google suspension |

A note about competitors: You may see hospice and home health agencies in your market doing several of these things. That doesn't make it legal — it means they haven't been caught yet. OCR investigations are often complaint-driven, and it takes only one disgruntled patient, family member, or former employee to file a complaint. In 2024, OCR resolved 22 enforcement actions. The average investigation takes 12–18 months. Your competitor sending post-discharge review request emails today may be writing a $50,000 check next year.

Building a Monthly Review Workflow {#monthly-workflow}

Consistency matters more than volume spikes. Google's algorithm rewards steady review growth — a sudden influx of 20 reviews in one week followed by months of silence looks suspicious and may trigger Google's spam detection. Here's a sustainable monthly workflow:

Week 1: Audit and respond

Check Google Business Profile for new reviews
Respond to every review using HIPAA-compliant templates (see Online Reviews and HIPAA for Home Health and Hospice for response frameworks)
Document response times — BrightLocal's 2026 Local Consumer Review Survey found that 32% of consumers expect a review response by the following day, and 81% expect a response within a week
Flag any reviews that may require escalation to your compliance officer

Week 2: Activate in-person asks

Brief field staff on the in-person ask script (Method 1)
Restock print cards in office areas and field staff vehicles (Method 2)
Identify upcoming community events where cards can be distributed (Method 5)

Week 3: Digital outreach

Send community newsletter with review request element (Method 3)
Share a Google review link on agency social media profiles
Check website review page for functionality and visibility (Method 4)

Week 4: Measure and adjust

Track review count, average rating, and response rate
Review staff compliance with solicitation guidelines
Report metrics to leadership alongside other marketing KPIs

Target cadence: Aim for 2–4 new reviews per month for agencies serving under 200 patients annually. For larger agencies, 4–8 per month is achievable. A steady cadence of 3 reviews per month will take an agency from 5 reviews to 41 reviews in one year — enough to dominate most local markets where competitors have single-digit counts.

How Many Reviews Do You Actually Need? {#how-many-reviews}

The answer depends on your market. Here's a framework based on competitive analysis and Whitespark's local search ranking factor data:

| Market Size | Typical Competitor Review Count | Your Target (Year 1) | Your Target (Year 2) | |-------------|-------------------------------|----------------------|----------------------| | Rural (under 100K population) | 0–5 reviews | 15–20 reviews | 30–40 reviews | | Suburban (100K–500K) | 5–15 reviews | 25–35 reviews | 50–75 reviews | | Urban (500K–2M) | 10–30 reviews | 40–60 reviews | 80–120 reviews | | Major metro (2M+) | 20–50+ reviews | 60–80 reviews | 120–200 reviews |

The "critical mass" threshold: Based on analysis of local pack rankings in healthcare markets, agencies with 20+ reviews and a 4.5+ star average consistently appear in Google's local pack ahead of competitors with fewer reviews — even when those competitors have been in business longer or have more web content. The BrightLocal 2026 survey found that 31% of consumers now require 4.5 stars or higher, up from 17% the previous year. This means maintaining a high average is as important as building volume.

Review recency matters too. Google weights recent reviews more heavily than older ones. An agency with 50 reviews, all from 2022, will rank lower than an agency with 25 reviews from the past 12 months. This is why the monthly workflow matters — you need a steady stream, not a one-time push.

Frequently Asked Questions {#faq}

Can I ask a patient directly to leave a Google review?

Yes, you can ask verbally and in person. What you cannot do is send an electronic communication (email, text, patient portal message) that confirms they are a patient and asks for a review. The in-person ask during a natural conversation is the safest method. Use language that doesn't explicitly confirm the patient relationship: "If you'd like to share your experience with our team, here's how to find us on Google" rather than "Please review the hospice care we provided to your mother."

Can I use a third-party review solicitation platform?

Only if the platform does not receive, store, or process PHI. If the platform integrates with your EHR to send automated review requests to patients, it's processing PHI and needs a Business Associate Agreement — and the outgoing messages still confirm the patient relationship, which is the core compliance issue. Most generic review solicitation platforms (Podium, Birdeye, etc.) are not designed with HIPAA in mind. If you use one, ensure it pulls from a general contact list, not clinical records, and that the messages don't reference care or treatment.

What if a patient asks how they can leave us a review?

This is the ideal scenario. When a patient or family member proactively asks how to leave a review, you can hand them a card, give them your Google Business Profile name, or show them the QR code. You're responding to their request, not initiating a solicitation. Just don't follow up electronically afterward.

Can I share positive Google reviews on our website or social media?

You can share reviews that are already publicly posted on Google, since the patient chose to make that information public. However, best practice is to share the review text and star rating without adding any additional context that confirms the person was a patient. Don't add a caption like "Thank you to Mrs. Johnson, who was our patient for three months" — just share the review as-is or with generic commentary like "We're grateful for this feedback."

Is it okay to respond to every Google review?

Yes, you should respond to every review — both positive and negative. Responding signals to Google that your listing is actively managed, which is a positive ranking factor. The key is that your responses must never confirm the reviewer was a patient, even if the reviewer states as much in their review. For detailed response templates, see Online Reviews and HIPAA for Home Health and Hospice.

How do I handle a fake or defamatory Google review?

Flag the review for removal through Google Business Profile using the "Flag as inappropriate" option. Google will review the content against its policies. You can also respond publicly with a brief, professional, HIPAA-compliant message: "We take all feedback seriously. We're unable to locate any record matching this review, but we'd welcome the opportunity to discuss any concerns. Please contact our office directly at [phone number]." This response communicates to readers that the review may be inauthentic without violating HIPAA.

Sources

This article is for educational purposes only and does not constitute legal advice. Consult a healthcare compliance attorney for guidance specific to your agency's situation.

Home Health and Hospice Owners Guide to Google Reviews, and HIPAA Safe Marketing

Google Reviews for Home Health and Hospice - HIPAA

Your NDPAP listing is already built to be compliant by design. Families searching for hospice and home health care find your agency through a trusted, AKS-clean directory — and every review you build on Google reinforces the visibility of your listing across the platforms that matter most. Claim your NDPAP listing →

The Post-Acute Owner's Guide to Google Reviews: HIPAA-Safe Methods Only

Table of Contents